ID Pocket: Password-less Sign-in

A private, password-less way to sign in to websites

October 11, 2022 -- Ron Kreutzer

How many websites do you go to where the register or login page gives you options to sign in with Facebook (or Google, GitHub, etc.)? Yeah, it’s an easy way to access that website, but have you thought about what personal data you just gave away? The website provider now knows one of your social media accounts. What they do with that can range from nothing to a lot of profiling of your demographics, political leanings, friends, etc. While that’s bad enough, the greater concern is what the identity verifier (Facebook, etc.) does with that data. That organization can now profile you based on all the sites you’ve logged into using this service, as well as track the time and location when you log in again to any of those sites. Maybe they use that data for their own profit or maybe they also sell that data to others.

There is a more private way to do this. More and more websites and dApps allow you to register and sign in using an Ethereum/web3 wallet app. You’ll see buttons for Sign-in with Ethereum (SIWE) or WalletConnect on these websites. You’ll be presented with a QR code that you scan with your wallet app, then you’ll sign a message in your wallet app that proves you control a specific Ethereum address. Each time you log in to that site, it matches your Ethereum address and knows that it’s really you.

No more passwords and, many times, no more sharing of your email address: the site won’t have a legitimate use for it, because your Ethereum address uniquely identifies you.

Now, you probably don’t want to use the Ethereum address where you’ve stored a lot of cryptocurrency. It’s recommended to use a different Ethereum address for identity purposes that has little or no funds attached to it. Even better, you could use a different address for each website that you sign in to. This is where digital identity wallets like ID Pocket become very useful. With ID Pocket, every sign-in you initiate creates a new identifier tied to a unique Ethereum address. The wallet takes care of managing all the keys for those addresses and remembering which identifier was used with which website.

The standards for this login approach are still evolving, especially with regard to the additional personal data that a website may require for registration, such as name, email or phone number. While we’re not a fan of how version 1 of SIWE uses ENS (Ethereum Name Service, similar to a personal domain name) to store profile information, version 2 promises to be more robust in that it will ask for specific information that you must consent to providing. Some of that personal data may need to be verified, in which case you’ll pass the website a Verifiable Credential containing that information.

ID Pocket already allows you to create Verifiable Credentials for your emails and phone numbers in the Personas section of the app. The app sends an authentication code to your email or phone, and you verify it once. Then when you register on a website, you won’t need to authenticate your email or phone again. Wait, no more authentication codes? Now that the website can verify that you control that Ethereum account, by having cryptographically signed a message with the private key to that account, no further authentication is necessary.

The latest version of ID Pocket supports version 2 of WalletConnect, alongside version 1, allowing compatibility with almost all of the web3 login providers. In addition to password-less sign-in, ID Pocket allows you to capture, store and display paper identity documents, as well as to store and use Verifiable Credentials.
